7 key things forensic investigators need to do

Law enforcement, government agencies and corporate enterprises alike count on their digital forensic technology to keep evolving alongside their growing needs. In 2017, OpenText™ acquired Guidance Software, makers of EnCase products for forensic investigations, endpoint security, and e-Discovery. Now, we’re excited to announce the release of version 8.07 of EnCase Forensic™ and its more expansive counterpart EnCase Endpoint Investigator™ (together, “EnCase Forensic/EI”) as part of OpenText Release 16 EP4.

This new release reflects OpenText’s ongoing commitment to law enforcement, DFIR (Digital Forensic Incident Response) and other digital investigation professionals worldwide, including the more than 6,600 that have already earned the EnCE™ certification. As we continue to enhance EnCase Forensic/EI to support this extensive base of investigative users, here are 7 key needs we are focused on:

1. Investigators need to cover all operating systems

Investigators can’t allow their efforts to be impeded by a late-generation OS. With version 8.07, EnCase Forensic/EI now supports Apple File System (APFS), enabling targeted collection of forensic data from computers running Apple High Sierra (macOS 10.13).

2. Investigators need to reach all the data

Version 8.07 enhances EnCase Forensic/EI’s encryption support, adding the ability to reach files on endpoints running BitLocker for Windows 10, Dell Data Protection 8.17, and Symantec PGP 10.3. It also supports Volume Shadow Snapshots (VSS) to recover even more deleted and modified files – as well as full volumes – from Windows systems.

OpenText EnCase Forensic/EI provides total visibility into drives and devices for forensic investigations.

3. Investigators need to span all devices

Investigators need to explore an ever-growing range of evidentiary sources, including smartphones, tablets, IoT devices and cloud storage and services. EnCase Forensic/EI includes over 26,000 mobile device profiles built right in. It can even parse Amazon Alexa data, and we will expand into more cloud sources and devices as we continue to evolve.

4. Investigators need to be discreet

EnCase Forensic/EI leverages a lightweight, unified EnCase agent that resides at the kernel level. This allows investigators to collect discreetly from laptops and other endpoints without notifying the subject (data owner, user, or person of interest). Enterprises have deployed EnCase agents on over 40 million endpoints, and can optionally activate an enhanced EnCase agent that continues the evidence collection process even when the endpoint is off-network.

5. Investigators need to work globally

Version 8.07 broadens EnCase Forensic/EI’s foreign language support, with a user interface that supports 14 different languages and an index that supports an even wider range of languages. The index also features language-specific tokenization, which is particularly helpful when investigating data in pictorial languages (like Korean).

6. Investigators need to control access

Keeping investigations exclusive to authorized personnel can be of critical importance, particularly for law enforcement and regulatory agencies. EnCase Forensic/EI supports CAC Cards and PKI for supplemental user credential control and will continue to invest in multi-factor authentication methodologies.

7. Investigators need to scale

Investigators have no choice but to search and scrutinize ever-broadening volumes of collected data. Starting with version 8.06 (released in 2017) and into the new 8.07 release, EnCase Forensic/EI features a reengineered indexing engine for dramatically faster performance and greater scalability.

Hal is the Director of Product Marketing for OpenText Discovery & Security. A licensed attorney, Hal practiced as a Wall Street litigator before commencing a career in tech that now spans over 20 years. He writes about artificial intelligence—anyone named Hal is bound to be interested in AI—and related technologies in the realms of eDiscovery, cybersecurity, compliance, and information governance.